strapi is vulnerable to arbitrary file upload. The vulnerability exists in the module.exports function in content-api.js due to improper validation of uploaded files, allowing an attacker to upload a maliciously crafted file and remotely execute arbitrary code on the system.
docs.strapi.io/dev-docs/configurations/public-assets
docs.strapi.io/user-docs/users-roles-permissions/configuring-administrator-roles
github.com/advisories/GHSA-4vm8-j95f-j6v5
github.com/bypazs/strapi
github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/content-type-builder/admin/src/components/AllowedTypesSelect/index.js#L14
github.com/strapi/strapi/blob/d9277d616b4478a3839e79e47330a4aaf167a2f1/packages/core/upload/admin/src/components/MediaLibraryInput/index.js#L33
github.com/strapi/strapi/commit/aeb21ff85e23fc29aae03374b6ab5ad4590f01bd
github.com/strapi/strapi/pull/13105
grimthereaperteam.medium.com/strapi-v4-1-12-unrestricted-file-upload-b993bfd07e4e